Collaboration and Engagement With Appropriate Third Parties: Best Practice Guide

COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES
Traffic Light Protocol: White (May be shared in public forums)
COLLABORATION AND
ENGAGEMENT WITH
APPROPRIATE THIRD PARTIES
Best Practice Guide
Version 1.2
Traffic Light Protocol: White.
This information may be shared in public forums.
This Guide does not prescribe or require specific technical or organizational practices.
These are voluntary and aspirational practices, which may evolve over time.
Please see Section 1.2 for more information.
Version History
This is a living document, which will be periodically updated under direction of the Auto-ISAC Best
Practices Working Group. We will track any updates in the table below.
Version Notes:
Version Revision Date Notes

v1.0 29 March 2017
Changed from TLP Amber to TLP Green for release to
v1.1 10 July 2017
industry stakeholders via request on Auto-ISAC website
v1.2 18 January 2018 Changed from TLP Green to TLP White for release to the
public via request on Auto-ISAC website
i These are voluntary and aspirational practices, which may evolve over time.
Contents
Version History ..................................................................................................................................i
Section 1.0: Introduction ................................................................................................................. 1
1.1 Best Practices Overview ....................................................................................................... 1
1.2 Purpose ................................................................................................................................. 1
1.3 Scope .................................................................................................................................... 2
1.4 Audience ............................................................................................................................... 2
1.5 Guide Development .............................................................................................................. 2
1.6 Authority, Governance, and Maintenance ............................................................................ 3
Section 2.0: Collaboration and Engagement in Vehicle Cybersecurity ......................................... 3
2.1 Relevant Third Parties .......................................................................................................... 3
2.2 “The Openness Spectrum”.................................................................................................... 4
2.3 Risks of Collaboration and Engagement .............................................................................. 5
2.4 Benefits of Collaboration and Engagement .......................................................................... 6
Section 3.0: Best Practices ............................................................................................................. 8
3.1 Methods of Collaboration and Engagement ......................................................................... 8
3.2 Best Practices for Information Sharing ................................................................................. 8
3.3 Best Practices for Events .................................................................................................... 11
3.4 Best Practices for Programs .......................................................................................... 13
Appendix A: Glossary of Terms .................................................................................................... 16
Appendix B: Additional References and Resources .................................................................... 17
Appendix C: Acronyms ................................................................................................................. 19
ii These are voluntary and aspirational practices, which may evolve over time.
1 Section 1.0: Introduction

2 1.1 Best Practices Overview
3 This Best Practice Guide is one in a series intended to provide the automotive industry with
4 guidance on the Key Cyber Functions defined in the Automotive Cybersecurity Best Practices
5 Executive Summary:
6 1. Incident response
7 2. Collaboration and engagement with appropriate third parties
8 3. Governance and accountability
9 4. Risk assessment and management
10 5. Vehicle security by design
11 6. Threat detection and protection
12 7. Awareness and training
13 Guides offer greater detail to complement the high-level Executive Summary. This Guide aligns
14 to the “Collaboration and Engagement with Appropriate Third Parties” Function. Each
15 organization may use the Best Practices and this Guide as appropriate for their unique systems,
16 processes, and risks.
17 1.2 Purpose
18 The purpose of this Guide is to assist heavy and light-duty vehicle OEMs, suppliers and auto
19 industry stakeholders with collaborating and engaging appropriate third parties as part of their
20 vehicle cybersecurity activities.
21 This Guide provides forward-looking guidance without being prescriptive or restrictive. The third
22 party collaboration and engagement (3PCE) best practices are:
23 • Not Required. Organizations have the autonomy and ability to select and voluntarily adopt
24 practices based on their respective risk landscapes.
25 • Aspirational. These practices are forward-looking, and voluntarily implemented over
26 time, as appropriate.
27 • Living. Auto-ISAC plans to periodically update this Guide to adapt to the evolving
28 automotive cybersecurity landscape.
1 These are voluntary and aspirational practices, which may evolve over time.
29 1.3 Scope
30 This Guide discusses voluntary 3PCE, which is focused on enhancing vehicle
31 cybersecurity, with third parties across the connected vehicle ecosystem. The Guide will
32 describe the benefits, decision factors, and methods for voluntary 3PCE.
33 These best practices do not encompass actions that are explicitly required by U.S. or international
34 regulations, state laws, or legal agreements between private entities. For example, the Guide
35 does not cover contractually-obligated sharing with suppliers. However, organizations may use
36 these practices to inform voluntary engagement activities they pursue with their suppliers. The
37 Guide also does not include engagement with consumers—as they are not a third party.
38 Examples to clarify scope are listed in Figure 1.
FIGURE 1: SAMPLE 3PCE ACTIVITIES TO ILLUSTRATE GUIDE SCOPE
39 1.4 Audience
40 This Guide was written for use by OEMs, suppliers, the commercial vehicle sector, and other
41 vehicle cybersecurity stakeholders who are responsible for developing and executing 3PCE for
42 their organization.
43 1.5 Guide Development

44 The Auto-ISAC Best Practices Working Group wrote this guide, with support from Booz Allen
45 Hamilton vehicle cybersecurity SMEs, who facilitated the Guide’s development. The Working
46 Group comprised representatives from several Members and partners, including:
AT&T FCA Infineon Mobis
Auto Alliance Ford Kia Nissan
BMW Group General Motors Lear NXP
Continental Global Automakers LG Subaru
Cooper Standard Harman Magna Toyota
Cummins Honda Mazda Volkswagen
Delphi Honeywell Mercedes-Benz Volvo
DENSO Hyundai Mitsubishi Motors ZF
47 The Working Group also coordinated with several external stakeholders while developing this
48 Guide, including NHTSA, NIST, US-CERT, and CERT-CC.
49 1.6 Authority, Governance, and Maintenance

50 This Guide is written, maintained and may undergo periodic refresh under the direction of the
51 Auto-ISAC Best Practices Working Group. It is currently classified as Traffic Light Protocol Green,
52 and, as such, may be shared with Auto-ISAC Members and partners. Information in this category
53 is not to be shared in public forums.
54 Section 2.0: Collaboration and Engagement in Vehicle Cybersecurity

55 This section answers the “who,” “when,” and “why” to participate in 3PCE.
56 2.1 Relevant Third Parties

57 Automotive industry companies are part of a broad and expanding ecosystem. To enhance
58 vehicle cybersecurity, these companies may collaborate and engage with several types of third
59 parties across the connected vehicle ecosystem.
Industry Partners. Industry partners are organizations that are directly involved in the
design, manufacturing, selling, and maintenance of on-road vehicles. Collaboration and
engagement among industry partners helps enhance awareness of vehicle
cybersecurity matters that may impact their products or services. These groups include
original equipment manufacturers (OEMs), the OEM supply chain (Tiers 1, 2, and 3),
network providers (e.g. telecommunications providers), software providers, service
providers (e.g. consulting firms, security vendors), dealers, carriers, fleet owners and
operators, infrastructure operators (e.g. Smart Cities, V2X), aftermarket manufacturers
and suppliers, and independent repair shops.
Industry Organizations. Industry organizations include parties that either consist of or

represent industry partners to support a particular cause related to vehicle
cybersecurity, such as standards development, safety and security, information sharing,
or training. This group includes automotive trade associations, standards bodies, and
Auto-ISAC. These groups play a significant role in automotive cybersecurity industry
efforts.
Government. Government third parties include U.S. and international agencies that
play a role in the connected vehicle ecosystem. These include U.S. and international
regulatory agencies (e.g. NHTSA), non-regulatory federal agencies, state and local
governments, law enforcement agencies, and intergovernmental agencies (e.g.
INTERPOL). Collaboration and engagement with this group can help foster policy
decisions that enable vehicle cybersecurity advancements.
Academia. This group consists of universities and educational organizations that are
involved in programs, studies, research, and testing related to connected vehicle
products and services. Collaboration with academia is mutually beneficial; Industry is
able to solve current and future cybersecurity challenges while expanding research
opportunities for academic institutions.
Researchers. This group include the labs, consortia, research organizations, and
individual researchers and hobbyists comprising the “white-hat” connected vehicle
research community. This group conducts vehicle cybersecurity research and testing
on vehicles for the benefit of public safety and awareness. They can help organizations
stay apprised of the most up-to-date findings and leverage researcher expertise to
improve vehicle cybersecurity. 3PCE with the “black-hat” research community is out of
scope for this Guide.
Media. The media includes public content forums and advertising platforms that
showcase automotive-related stories. When content is accurate, the media offers an
effective way to communicate with current and potential customers about vehicle
cybersecurity, raise awareness about threats, and identify and respond to vehicle
cybersecurity-related news.
60 It can be helpful to establish a set of evaluation criteria to help vet and prioritize external third
61 parties, like those listed above, before collaborating and engaging on sensitive topics.
62 2.2 “The Openness Spectrum”

63 This Guide does not prescribe a particular level of external collaboration and engagement. Rather,
64 organizations can determine the right level of openness based on their individual vehicle
65 cybersecurity objectives and their unique risk landscape (Figure 2).
66 This Guide does not prescribe that organizations seek a particular level of external engagement.
67 Rather, it aims to define characteristics and decision factors for determining appropriate levels of
68 engagement, across the “openness spectrum,” based on certain situational variables, including
69 risk levels, timing, cost, and organizational capability. Organizations may choose to position
70 themselves at different points of the spectrum at different times and with different third parties.
71
FIGURE 2: OPENNESS SPECTRUM AND CONSIDERATIONS
72 At times, organizations may want to maximize 3PCE, but face roadblocks. Examples of these
73 potential roadblocks and sample mitigation strategies include:
74 • Potential Roadblock: Concerns over real or perceived anti-trust issues, and exposure of
75 intellectual property.
76 o Potential Mitigation: Use appropriate anti-trust warnings and create and
77 communicate appropriate non-disclosure agreements (see Section 3.2 for
78 additional measures)
79 • Potential Roadblock: Lack of clarity internally regarding domestic and international
80 regulatory requirements.
81 o Potential Mitigation: Communicate with government relations personnel and
82 regulators to gain clarity regarding expectations. (see Section 3.2 for additional
83 measures)
84 • Potential Roadblock: Concerns over adversarial market exposures.
85 o Potential Mitigation: Establish relationships dedicated to a specific objective with a
86 small set of collaborators to demonstrate value and build trust in third party
87 resources. (see Section 3.4 for additional measures)
88 • Potential Roadblock: Lack of sufficient tools and technology.
89 o Potential Mitigation: Share costs for technical infrastructure that allows for efficient
90 and secure engagement with third parties. (see Sections 3.2 and 3.3 for additional
91 measures)
92 • Potential Roadblock: Lack of proactive measures to establish communications channels.
93 o Potential Mitigation: Establish non-disclosure agreements (NDAs) and mutually
94 identify points of contact for critical third parties
95 The mitigations listed above are just a sample set. Please see the full list of Best Practices below
96 for additional mitigation ideas.
97 2.3 Risks of Collaboration and Engagement

98 3PCE can also carry risk, particularly when organizations do not implement relevant 3PCE Best
99 Practices. Organizations will benefit from identifying and proactively addressing the risks,
100 including the sample list highlighted below, to ensure that 3PCE helps—not hurts—vehicle
101 cybersecurity efforts.
102 Risks associated with 3PCE may include:
103 • Mismanaged resource allocation leading to deficiencies in other parts of the organization
104 • Sharing of incorrect or misleading information that could burn resources and weakens
105 cyber defense posture
106 • Disruption of established strategy or processes
107 • Accidental disclosure of intellectual property or other sensitive information
108 • Premature exposure of industry vulnerabilities before providing appropriate time for the
109 affected parties to react and mitigate an issue
110 • Increased levels of shared information, requiring time to filter and prioritize issues
111 • Confusion resulting from inconsistent or unclear reporting and response protocols
112 The Best Practices described in Section 3.0 may help organizations mitigate these risks as they
113 “move right” on the Openness Spectrum.
114 2.4 Benefits of Collaboration and Engagement

115 Working with appropriate third parties can deliver a wide variety of possible business benefits,
116 including: reducing vehicle cyber risk, enhancing operational performance, and reducing costs.
117 Organizations that often operate on the middle or right side of the “openness spectrum” discussed
118 in Section 2.2 may experience these benefits more frequently than those who tend to limit
119 engagement.
120 A primary way 3PCE benefits organizations is by mitigating vehicle cyber risk. Examples of this
121 include:
122 o Developing improved awareness of threat landscape through collective intelligence, such
123 as vulnerabilities, threats, actions, tools, techniques, and protocols (TTPs), and indicators
124 of compromise
125 o Understanding context of potential vehicle cyber events
126 o Assessing potential risk to the organization’s cyber posture
127 o Improving incident response capabilities
128 o Having established relationships and lines of communication in place for when things go
129 wrong, which can help expedite response
130 o Integrating cybersecurity expertise to aid development of vehicle cybersecurity solutions
131 o Applying traditional IT Security principles to related elements of the connected vehicle
132 ecosystem
133 o Identifying alternative testing strategies, techniques, and solutions
134 o Educating vehicle cybersecurity ecosystem stakeholders (e.g. business partners, dealers,
135 government organizations) to mitigate potential industry-wide risk
136 o Seeking independent evaluation of product cybersecurity capabilities
137 o Sharing best practices and standards across similar organizations
138 o Expanding access to adjacent technology
139 o Gaining knowledge of prior experiences, strategy, and solutions
140 o Participating in industry benchmarking to inform cyber priorities
141 3PCE pertaining to vehicle cybersecurity can also help improve business performance.
142 Examples of this include:
143 • Developing external relationships that can be leveraged during crisis management
144 • Increasing capacity through outsourcing
145 • Improving quality and design resulting from increased understanding of and attention to
146 internal products
147 • Reducing reliance on singular technology partners, avoiding the “lock-in” effect
148 3PCE pertaining to vehicle cybersecurity can also help organizations to lower costs. Examples
149 of this include:
150 • Reducing duplication of efforts across organizations

151 • Sharing risk of investment when multiple organizations contribute
152 • Expanding research opportunities through aggregation of multiparty technical and

153 financial resources
154 • Shortening development time for cyber solutions, leading to reduced development costs
155 • Improving incident response coordination, lowering the impact of a cyber event
156 Other potential benefits of 3PCE regarding vehicle cybersecurity may include:
157 • Enhancing industry reputation, leading to increased consumer confidence

158 • Improving recruiting opportunities
159 • Increasing readiness for the emergence of mobility solutions
160 • Creating new opportunities for innovation and “out-of-the-box” thinking
161 • Increasing access to global markets
162 • Controlling external messaging around notable events
163 .
164 Section 3.0: Best Practices

165 The purpose of this section is to define the primary methods for 3PCE and provide implementation
166 guidance specific to these methods. Organizations may augment these Best Practices and
167 accompanying narrative with the References listed in Appendix B.
168 3.1 Methods of Collaboration and Engagement

169 Effective 3PCE must be customized to meet the unique needs of each organization. In order to
170 provide meaningful and actionable Best Practices, this Guide defines three high-level 3PCE
171 methods under which 3PCE activities typically fall. Some activities align to multiple methods and
172 their corresponding best practices and thus may benefit from multiple sets of Best Practices.
173
FIGURE 3: METHODS OF COLLABORATION AND ENGAGEMENT
174 3.2 Best Practices for Information Sharing

175 Information sharing helps organizations take swift action on potential vehicle cybersecurity
176 incidents, threats, and vulnerabilities, keeps key stakeholders informed of vehicle cybersecurity
177 activities, and increases the industry’s collective vehicle cybersecurity knowledge.
178 Identify content that is helpful to share. When organizations clearly define “shareable”
179 information, they can take more deliberate collaborative actions when appropriate. Please see
180 the “Create processes to capture and push information to external third parties” section below for
181 more guidance on determining what to share with various groups.
182 Types of information that may be helpful to share with third parties include:
183 • Actionable information on past and present vehicle cybersecurity incidents

184 • Actionable information on past and present vehicle cybersecurity threats
185 • Actionable information on past and present vehicle cyber vulnerabilities
186 • Processes for responding to vehicle cybersecurity incidents
187 • Processes for detecting and protecting against vehicle cybersecurity threats (see
188 forthcoming Threat Detection and Protection Guide)
189 • Processes for finding and resolving vehicle cybersecurity vulnerabilities
190 • Vehicle cybersecurity organizational structure
191 • Research on vehicle cybersecurity
192 • Customer expectations and experiences regarding vehicle cybersecurity
193 • Industry vehicle cybersecurity trends
194 • Litigation trends related to vehicle cybersecurity incidents
195 • Future opportunities to collaborate on vehicle cybersecurity
196 Engage the right internal stakeholders. Vehicle cybersecurity information is often sensitive,
197 urgent, and multi-faceted. It is important to consider timely engagement of a wide variety of
198 internal groups in order to effectively exchange information with external third parties.
199 Internal stakeholders that may play a role when sharing vehicle cybersecurity information with
200 third parties include:
201 • Executive leadership and Board of Directors – for situational awareness and approvals
202 • Vehicle and enterprise IT cybersecurity analysts – for technical analysis, triage, and
203 remediation
204 • Engineering and Design – for supplier and customer coordination and developing and
205 implementing solutions
206 • Safety experts – for awareness of safety-critical issues
207 • Quality assurance experts – for differentiation between mechanical and cyber issues
208 • Communications experts – for internal and external messaging
209 • Public policy experts – for coordination with government liaisons
210 • Legal counsel – for risk mitigation and decision insights
211 • Supply chain experts – for coordination with suppliers and dealers
212 • Manufacturing plant operators – for issues affecting the assembly line
213 • Purchasing – for issues related to outsourced parts and services
214 • Customer service and warranty representatives– for communication with end customers
215 Create processes to take in and act on shared information. Once an organization receives
216 information from a third party, the next step is to ensure that the information goes to the right
217 person(s) for the appropriate action to be taken. Creating and documenting how different types of
218 information is managed and used allows individuals operating within an organization to maintain
219 clear lines of responsibility and authority.
220 Best Practices for collecting and using information shared by a third party include:
221 • Documented processes govern how to manage vulnerabilities, respond to incidents, and
222 protect against threats (See Incident Response Guide, and forthcoming Guides on Risk
223 Assessment and Management, and Threat Detection and Protection)
224 • An established protocol is shared with external third parties to enable consistent sharing
225 of information
226 • Consistent guidelines are used to assess third party information, including validity and
227 trustworthiness of external information
228 • An established process is used for consistent, secure dissemination and storage of
229 information within the organization
230 • A clear taxonomy enables common understanding internally and with third parties
231 • Legal and regulatory obligations are clearly understood
232 • An accurate vehicle asset inventory—including hardware, software, and code versions
233 and origins—provides rapid insights into production and post-production vehicles
234 • Internal stakeholders understand the organizational structure, including roles and
235 responsibilities of business units, POCs for external groups, and approval requirements
236 • When applicable, there is an ability to take in information through common, standardized
237 formats (e.g. CVE, STIX, TAXII) and via industry-wide forums (e.g. Auto-ISAC Portal)
238 Create processes to push information to external third parties. Before vehicle cybersecurity
239 information can be shared externally, organizations will want to determine how, what, and to
240 whom information is sent. Creating processes to capture and push information will enable timely
241 sharing and limit disclosure risks.
242 Best Practices for pushing vehicle cybersecurity information to third parties include:
243 • Processes for reviewing and approving the information reflect technical, business, and
244 legal perspectives
245 • A common approach and criteria define which third parties would benefit from the
246 information, timeframes for dissemination, mechanisms to share, and roles and
247 responsibilities to develop, review, approve and send the information
248 • Internal documentation and storage policies are based on the type of information and the
249 destination, and align with regulatory requirements
250 • Defined metrics rank information by priority and sensitivity, including an assessment of the
251 information’s impact on vehicle safety and personal privacy
252 • Organizations and third parties have non-disclosure agreements or other confidentiality
253 agreements in place, if necessary, to safeguard information
254 • Organizations are able to push out information through standardized formats (e.g. CVE,
255 STIX, TAXII) and through industry-wide platforms (e.g. Auto-ISAC Portal) as appropriate
256 Acquire appropriate tools and technologies. At times, organizations will want to share
257 information with a very limited number of external parties, while at others, they will want to widely
258 broadcast the information. Some information will need to be kept anonymous, confidential, or
259 secure when it is shared. A suite of information sharing tools will help to accommodate these
260 requirements and allow organizations to engage third parties efficiently and reliably. Sample tools
261 and technologies that may be used to share or receive vehicle cybersecurity information include:
262 • Secure web portals (e.g. Auto-ISAC Portal)

263 • Secure file sharing and transfer applications
264 • Audio and visual conferencing platforms
265 • Press releases
266 • Social media
267 • Contact relationship management software
268 • Shared email accounts or “Contact Us” webpages to provide a single entry point for third
269 parties to contact an organization’s cyber team(s)
270 3.3 Best Practices for Events

271 Events allow organizations to collaborate and engage with third parties on vehicle cybersecurity
272 in a broader, more inclusive setting. Events often include a variety of experts on a particular topic,
273 giving the discussion credibility and leading to productive idea exchange.
274 Identify the types of events to design or attend. Participating in a variety of events can help
275 organizations build specific capabilities, particularly when they prioritize those that meet specific
276 internal needs and are feasible based on available resources. Characteristics of successful
277 events can be found below under the section titled “Design and execute 3PCE events.”
278 Types of events that support vehicle cybersecurity capabilities include:
279 • Incident Response (IR) Exercises. Opportunities to build relationships with response-
280 relevant third-parties through a variety of exercises—including tabletops, wargames, drills,
281 and threat scenario workshops—where participants simulate vehicle cyber incident
282 response processes through a scenario
283 • Cyber Challenges. Challenge-based events—including hackathons and code-athons—
284 in which software developers and/or engineers collaborate to produce a prototype, proof
285 of concept, or cybersecurity solution
286 • Conferences. Formal meetings designed to promote information sharing through
287 presentations, networking, and discussion panels.
288 • Webinars. Remote information sharing sessions led by subject matter experts on a
289 specific topic
290 • Workshops. Collaborative working group sessions that bring together diverse experts to
291 produce specific content (e.g. Best Practices Workshops)
292 • Press Events. Media events designed to share news or announcements
293 As illustrated in Figure 4, each type of event has its own set of potential benefits and value
294 proposition. Some events (e.g. Exercises) provide more value when performed on a regular
295 schedule, while others may be done on a more ad-hoc basis. Organizations may consider an
296 appropriate cadence based on their risk landscape and resources to maximize value and avoid
297 event fatigue or overinvestment.
Cyber Press
Benefits Exercises Conferences Webinars Workshops
Challenges Events
Networking X X X
Capability
Improvement
X X X X X
Process
X X X
Improvement
External
X X X
Communication
Recruitment X X X
Industry
Alignment
X X X
298 FIGURE 4: BENEFITS OF EVENTS
299 Design and execute 3PCE events. Designing and executing events allows automotive industry
300 organizations to better align events to their specific needs. It may also help to establish the
301 organization as an industry leader in vehicle cybersecurity, improving brand image and recruiting.
302 Sometimes, cybersecurity events can be incorporated into existing events or working
303 relationships to avoid duplication of efforts.
304 Best Practices for designing and executing 3PCE events related to vehicle cybersecurity include:
305 • Invitations are distributed within and across industries to bring together expertise and
306 foster collaboration
307 • Guidelines for participant behavior and use of information controls (e.g. confidentiality,
308 ownership agreements) are clearly articulated and documented
309 • Appropriate legal and ethical oversight is on-hand
310 • Anti-trust statements are read aloud before commencing the event
311 • Consideration is given to relevant international concerns (e.g. policy variations, language
312 barriers, etc.)
313 • Logistics and scheduling enable widespread participation by avoiding conflicting events
314 and largely inconvenient locations
315 • A specific focus of the event is determined and articulated at the beginning of event
316 planning
317 • Appropriate staffing and resources are in place to accommodate the event’s scale
318 • Recognized subject matter experts are invited and able to attend
319 Participate in 3PCE events designed by third parties. Participating in other organizations’
320 events allows automotive industry organizations to benefit from events without committing
321 significant time and resources. It also may help build new capabilities and explore areas outside
322 of an organization’s core competencies.
323 Best Practices for participating in 3PCE events pertaining to vehicle cybersecurity designed by
324 third parties include:
325 • Participants’ roles and responsibilities are aligned with the event’s topic of interest
326 • Participants are aware of anti-trust guidelines
327 • Participants are aware of what they are (and are not) permitted to share with event
328 attendees
329 • Participants are prepared to capture insights from the event and provide a recap to the
330 organization
331 3.4 Best Practices for Programs

332 Vehicle cybersecurity programs offer an opportunity to engage in longer term initiatives around a
333 specific goal with third parties.
334 Identify relevant 3PCE programs. Engaging in vehicle cybersecurity programs can help all
335 facets of vehicle cybersecurity and provide a seat at the table for collective industry decisions. In
336 some cases, resource constraints may limit the number of programs in which an organization can
337 participate, requiring an internal prioritization methodology. Where funding and resources are
338 limited, weighing program requirements, benefits, and relevance will help determine which
339 programs to prioritize.
340 Types of 3PCE programs pertaining to vehicle cybersecurity include:
341 • Intelligence Sharing Programs: Organizational or industry-wide programs to encourage

342 the disclosure, triage, and remediation of vehicle cybersecurity vulnerabilities
343 o Examples include: Auto-ISAC, US-CERT, and the National Vulnerability Database
344 (NVD)
345 • Vulnerability Disclosure Programs: Programs that encourage third parties to report
346 vulnerabilities they find directly to the producer of the product. These programs may be
347 incentivized by monetary payments or other rewards. They may be run in-house or be
348 operated by a third-party vendor.
349 o Examples include: individual company coordinated disclosure programs and third
350 party-operated coordinated disclosure programs.
351 • Standards Development. Collaborative efforts to develop vehicle and product
352 cybersecurity standards
353 Examples include: SAE J3061A: Cybersecurity Guidebook for Cyber-Physical
354 Vehicle Systems, ISO/AWI 21434: Road Vehicles -- Automotive Security
355 Engineering, and OASIS STIX/TAXII
356 • Research Projects. Joint research ventures regarding a specific vehicle cybersecurity
357 topic
358 o Examples include: University partnerships, SAE J3061 Table 35, government-
359 sponsored research (e.g. NHTSA’s Vehicle Research and Test Center (VRTC),
360 Automotive Cybersecurity Industry Consortium (ACIC), and Transportation
361 Research Board (TRB))
362 • Strategic Talent Development. Ongoing activities designed to train, educate, and recruit
363 individuals with roles and responsibilities pertaining to vehicle cybersecurity
364 o Examples include: Mentorship programs, certifications, and continuing education
365 Figure 5 outlines the potential benefits and outputs that automotive industry organizations can
366 expect from each program type.
Type of Program Benefits and Outputs
• Awareness of threat and vulnerability information

• Improved cybersecurity processes
Intelligence Sharing • Customer protection
• Reduced repair requirements
• Insight into past solutions and prevention techniques
• Awareness of threat and vulnerability information
• Improved vulnerability management
Vulnerability • Customer protection
Disclosure • Reduced repair requirements
• Brand protection and enhancement
• Recruiting opportunities
• Technical standards, guidelines, and reports
Standards
Development • Inform regulatory policy
• Insight into past solutions and prevention techniques
• In-depth research reports

Research Projects • Information that aids security decision making processes
• Guidance on resource allocation and activity prioritization
• Skills development
Strategic Talent
Development
• Exchange of ideas
• Recruiting opportunities
367 FIGURE 5: BENEFITS AND OUTPUTS OF PROGRAMS
368 Design and execute 3PCE programs. Designing and executing programs allows automotive
369 industry organizations to better align programs to their needs. It also helps to establish the
370 organization as an industry leader in vehicle cybersecurity, improving brand image and recruiting.
371 Best Practices for designing and executing 3PCE programs with third parties related to vehicle
372 cybersecurity include:
373 • Planning teams are aware of internal confidentiality and privacy requirements and able to
374 communicate them to third parties
375 • There is a process to assess participating third parties’ value proposition and reputation
376 • Programs are designed to acquire different perspectives and additional knowledge within
377 a defined group of organizations
378 • Appropriate business, technical, and legal resources are provided for the program
379 • The program has a defined scope that is unique and relevant to all parties
380 • Organizers consider appropriate incentives and motivations to encourage sufficient
381 participation in the program
382 • Organizers take ownership of the program’s outcomes
383
384 Participate in 3PCE programs designed by third parties. Participating in other organizations’
385 programs allows automotive industry organizations to benefit from programs without committing
386 significant time and resources. It also may help build new capabilities and explore areas outside
387 of an organization’s core competencies.
388 Best Practices for participating in 3PCE programs with third parties dedicated to vehicle
389 cybersecurity include:
390 • Participants’ roles and responsibilities are aligned with the program’s topic of interest
391 • Participants are aware of anti-trust guidelines
392 • Participants are aware of what they are (and are not) permitted to share with other program
393 participants
394 • Participants have an ability to document and publish program findings either internally or
395 publicly, as appropriate
396 • Participants have defined a process to review program results prior to sharing findings
397 Appendix A: Glossary of Terms

398 3PCE terms used in this Guide are defined below.
TERM DEFINITION
Black Hat Malicious and/or criminal cyber threat actors
Voluntary information sharing activities, events and programs that

Collaboration and Engagement auto industry stakeholders may pursue with external stakeholders
to enhance their vehicle cyber security
The components and infrastructure on or connected to the vehicle

(e.g. product hardware and software, intellectual property, mobile
applications, customer data, vehicle data, and
Connected Vehicle Ecosystem
supplier/manufacturing networks, and applications), as well as the
processes and organizations that directly or indirectly touch the
vehicle, and may play a role in vehicle cybersecurity
Focused, short-term activities to bring together diverse groups of
Events
experts
Information Sharing Efforts to share data, research and other insights
Mitigation Strategy Potential approach to minimize risks and roadblocks
Programs Longer-term initiatives to pool resources toward a specific goal
Roadblock Potential issue that could impede 3PCE initiatives
An organization or individual outside of one’s organization, that

Third Party
may contribute to vehicle cybersecurity
The activities, processes, and capabilities that protect, detect and

respond to cyber occurrences (e.g. remote control, unauthorized
Vehicle Cybersecurity access, disruption, manipulation) that actually or potentially result
in adverse consequences to a vehicle, connected infrastructure, or
information that the vehicle processes, stores, or transmits
Researchers and/or ethical hackers who act to promote and/or

White Hat
enhance vehicle cybersecurity
399
400 Appendix B: Additional References and Resources

401 The following References and Resources provide additional content and expertise for
402 organizations to consider in conjunction with the Best Practices discussed in this Guide.
REFERENCES – DOCUMENTS THAT MAY OFER ADDITIONAL IMPLEMENTATION GUIDANCE
ABA - What To Do When Your Data is Breached <link>
AT&T - Hackathon Best Practices <link>
FTC/DOJ - Memo on Anti-Trust Policy Related to Information Sharing <link>
ISO/IEC 29147 - Information technology - Security Techniques - Vulnerability Disclosure <link>
Naval War College - Using Wargames for Command and Control Experimentation <link>
NTIA - Coordinated Vulnerability Disclosure “Early Stage” Template and Discussion <link>
NTIA - Vulnerability Disclosures Attitudes and Actions <link>
NIST – 800 Series <link>
Open Group –Leveraging Open Trusted Technology Partners in the Supply Chain <link>
PAXSims - Teaching Professional Wargaming
SAE International - Cyber Talent Development Events <link>
Tech Crunch - Hackathon Planning in Less Than 10 Steps <link>
University of Minnesota - Guidance on Setting up Tabletop Exercises <link>
US-CERT - External Dependencies Management – US-CERT <link>

403
RESOURCES – ORGANIZATIONS THAT MAY OFFER ADDITIONAL INSIGHTS
Auto-ISAC <link> (For sharing potential vulnerabilities, threats and other information. You are not
required to be a Member to share information with Auto-ISAC. Membership eligibility information is also
available on the link provided.)
Consumer Technology Association (CTA) <link>
CERT-CC <link>
DHS – ICS-CERT <link>
FCC Communications Security, Reliability, and Interoperability Council <link>
RESOURCES – ORGANIZATIONS THAT MAY OFFER ADDITIONAL INSIGHTS
Federal Emergency Management Agency (FEMA) <link>
First.org <link>
Food and Drug Administration (FDA) <link>
DHS, Science and Technology <link>
DHS, Cyber Information Sharing and Collaboration Program <link>
Institute of Electrical and Electronics Engineers (IEEE) <link>
International Organization for Standardization (ISO) <link>
National Cybersecurity and Communications Integration Center (NCCIC) <link>
National Telecommunications and Information Administration (NTIA) <link>
National Vulnerability Database (NVD) <link>
NIST Computer Security Division <link>
Ready.gov <link>
SAE International <link>
US-CERT <link>
Volpe <link>
404
405 Appendix C: Acronyms

406 3PCE Third Party Collaboration and Engagement
407 ABA American Bar Association
408 Auto-ISAC Automotive Information Sharing and Analysis Center
409 CAMP Crash Avoidance Metrics Partnership
410 CERT-CC Computer Emergency Readiness Team Coordination Center
411 CTA Consumer Technology Association
412 DHS Department of Homeland Security
413 DoT Department of Transportation
414 FDA Food and Drug Administration
415 FEMA Federal Emergency Management Agency
416 ICS-CERT Industrial Control Systems Cyber Emergency Response Team
417 IEEE Institute of Electrical and Electronics Engineers
418 IR Incident Response
419 ISO International Organization for Standardization
420 IT Information Technology
421 MOU Memorandum of Understanding
422 MTC Mobility Transformation Center
423 NCCIC National Cybersecurity and Communications Integration Center
424 NDA Non-Disclosure Agreement
425 NHTSA National Highway Traffic Safety Administration
426 NIST National Institute of Standards and Technology
427 NTIA National Telecommunications and Information Administration
428 NVD National Vulnerability Database
429 OEM Original Equipment Manufacturer
430 POC Point of Contact
431 SME Subject Matter Expert
432 US-CERT United States Computer Emergency Readiness Team
433 VRTC Vehicle Research and Test Center

Collaboration and Engagement With Appropriate Third Parties: Best Practice Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Collaboration and Engagement With Appropriate Third Parties: Best Practice Guide

Uploaded by

Copyright:

Available Formats

COLLABORATION AND ENGAGEMENT WITH APPROPRIATE THIRD PARTIES

Traffic Light Protocol: White (May be shared in public forums)

Traffic Light Protocol: White.

This information may be shared in public forums.

Version Revision Date Notes

1 Section 1.0: Introduction

FIGURE 1: SAMPLE 3PCE ACTIVITIES TO ILLUSTRATE GUIDE SCOPE

43 1.5 Guide Development

49 1.6 Authority, Governance, and Maintenance

54 Section 2.0: Collaboration and Engagement in Vehicle Cybersecurity

56 2.1 Relevant Third Parties

Industry Organizations. Industry organizations include parties that either consist of or

62 2.2 “The Openness Spectrum”

FIGURE 2: OPENNESS SPECTRUM AND CONSIDERATIONS

97 2.3 Risks of Collaboration and Engagement

114 2.4 Benefits of Collaboration and Engagement

150 • Reducing duplication of efforts across organizations

152 • Expanding research opportunities through aggregation of multiparty technical and

157 • Enhancing industry reputation, leading to increased consumer confidence

164 Section 3.0: Best Practices

168 3.1 Methods of Collaboration and Engagement

174 3.2 Best Practices for Information Sharing

183 • Actionable information on past and present vehicle cybersecurity incidents

262 • Secure web portals (e.g. Auto-ISAC Portal)

270 3.3 Best Practices for Events

331 3.4 Best Practices for Programs

341 • Intelligence Sharing Programs: Organizational or industry-wide programs to encourage

Type of Program Benefits and Outputs

• Awareness of threat and vulnerability information

• In-depth research reports

397 Appendix A: Glossary of Terms

Black Hat Malicious and/or criminal cyber threat actors

Voluntary information sharing activities, events and programs that

The components and infrastructure on or connected to the vehicle

Information Sharing Efforts to share data, research and other insights

Mitigation Strategy Potential approach to minimize risks and roadblocks

Programs Longer-term initiatives to pool resources toward a specific goal

Roadblock Potential issue that could impede 3PCE initiatives

An organization or individual outside of one’s organization, that

The activities, processes, and capabilities that protect, detect and

Researchers and/or ethical hackers who act to promote and/or

400 Appendix B: Additional References and Resources

REFERENCES – DOCUMENTS THAT MAY OFER ADDITIONAL IMPLEMENTATION GUIDANCE

ABA - What To Do When Your Data is Breached <link>

AT&T - Hackathon Best Practices <link>

FTC/DOJ - Memo on Anti-Trust Policy Related to Information Sharing <link>

ISO/IEC 29147 - Information technology - Security Techniques - Vulnerability Disclosure <link>

NTIA - Vulnerability Disclosures Attitudes and Actions <link>

NIST – 800 Series <link>

PAXSims - Teaching Professional Wargaming

SAE International - Cyber Talent Development Events <link>

Tech Crunch - Hackathon Planning in Less Than 10 Steps <link>

University of Minnesota - Guidance on Setting up Tabletop Exercises <link>

US-CERT - External Dependencies Management – US-CERT <link>

Consumer Technology Association (CTA) <link>

DHS – ICS-CERT <link>

FCC Communications Security, Reliability, and Interoperability Council <link>

RESOURCES – ORGANIZATIONS THAT MAY OFFER ADDITIONAL INSIGHTS

Federal Emergency Management Agency (FEMA) <link>

Food and Drug Administration (FDA) <link>

DHS, Science and Technology <link>

DHS, Cyber Information Sharing and Collaboration Program <link>

Institute of Electrical and Electronics Engineers (IEEE) <link>